IP Spoofing Vulnerability in Caddy 2 Middleware by Shift72
CVE-2023-50463

6.5MEDIUM

Key Information:

Vendor: Caddyserver
Status: Caddy
Vendor: CVE Published:; 10 December 2023

🔔 Create Caddyserver Vulnerability Alert

What is CVE-2023-50463?

The caddy-geo-ip middleware for Caddy 2 is vulnerable to IP spoofing when using the trust_header X-Forwarded-For configuration. This flaw allows attackers to manipulate the X-Forwarded-For header to forge their source IP address, potentially bypassing security measures such as the trusted_proxy directive in reverse_proxy or IP address range restrictions, undermining the integrity of traffic handling and posing significant risks to the application.

References

https://github.com/shift72/caddy-geo-ip/issues/4

https://github.com/shift72/caddy-geo-ip/tags

https://caddyserver.com/v2

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 10, 2023
Vulnerability Reserved
Dec 10, 2023

CVE-2023-50463 Data

JSON